It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild.
Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20

Patch Tuesday / Software Updates

It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild.

Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20 elevation of privilege vulnerabilities. The updates also follow fixes for 26 vulnerabilities in its Edge browser that were released over the past month.

The security flaw that's come under active exploitation is CVE-2023-28252 (CVSS score: 7.8), a privilege escalation bug in the Windows Common Log File System (CLFS) Driver.

"An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in an advisory, crediting researchers Boris Larin, Genwei Jiang, and Quan Jin for reporting the issue.

CVE-2023-28252 is the fourth privilege escalation flaw in the CLFS component that has come under active abuse in the past year alone after CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376 (CVSS scores: 7.8). At least 32 vulnerabilities have been identified in CLFS since 2018.

According to Russian cybersecurity firm Kaspersky, the vulnerability has been weaponized by a cybercrime group to deploy Nokoyawa ransomware against small and medium-sized businesses in the Middle East, North America, and Asia.

"CVE-2023-28252 is an out-of-bounds write (increment) vulnerability that can be exploited when the system attempts to extend the metadata block," Larin said. "The vulnerability gets triggered by the manipulation of the base log file."

In light of ongoing exploitation of the flaw, CISA added the Windows zero-day to its catalog of Known Exploited Vulnerabilities (KEV), ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by May 2, 2023.

Also patched are critical remote code execution flaws impacting DHCP Server Service, Layer 2 Tunneling Protocol, Raw Image Extension, Windows Point-to-Point Tunneling Protocol, Windows Pragmatic General Multicast, and Microsoft Message Queuing (MSMQ).

The MSMQ bug, tracked as CVE-2023-21554 (CVSS score: 9.8) and dubbed QueueJumper by Check Point, could lead to unauthorized code execution and take over a server by sending a specially crafted malicious MSMQ packet to an MSMQ server.

"The CVE-2023-21554 vulnerability allows an attacker to potentially execute code remotely and without authorization by reaching the TCP port 1801," Check Point researcher Haifei Li said. "In other words, an attacker could gain control of the process through just one packet to the 1801/tcp port with the exploit, triggering the vulnerability."

Two other flaws discovered in MSMQ, CVE-2023-21769 and CVE-2023-28302 (CVSS scores: 7.5), could be exploited to cause a denial-of-service (DoS) condition such as a service crash and Windows Blue Screen of Death (BSoD).

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

Microsoft has also updated its advisory for CVE-2013-3900, a WinVerifyTrust signature validation vulnerability, to include the following Server Core installation versions -

*   Windows Server 2008 for 32-bit Systems Service Pack 2
*   Windows Server 2008 for x65-based Systems Service Pack 2
*   Windows Server 2008 R2 for x64-based Systems Service 1
*   Windows Server 2012
*   Windows Server 2012 R2
*   Windows Server 2016
*   Windows Server 2019, and
*   Windows Server 2022

The development comes as North Korea-linked threat actors have been observed leveraging the flaw to incorporate encrypted shellcode into legitimate libraries without invalidating the Microsoft-issued signature.

**Software Patches from Other Vendors**

In addition to Microsoft, security updates have also been released by other vendors in the last few weeks to rectify several vulnerabilities, including —

*   Adobe
*   AMD
*   Android
*   Apache Projects
*   Apple
*   Arm
*   Aruba Networks
*   Cisco
*   Citrix
*   CODESYS
*   Dell
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Jenkins
*   Juniper Networks
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NETGEAR
*   NVIDIA
*   Palo Alto Networks
*   Qualcomm
*   Samba
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   SonicWall, and
*   Sophos

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit

Microsoft today released software updates to plug 100 security holes in its Windows operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, Apple has released a set of important updates addressing two zero-day vulnerabilities that are being used to attack iPhones, iPads and Macs.

**Microsoft** today released software updates to plug 100 security holes in its **Windows** operating systems and other software, including a zero-day vulnerability that is already being used in active attacks. Not to be outdone, **Apple** has released a set of important updates addressing _two_ zero-day vulnerabilities that are being used to attack **iPhones**, **iPads** and **Macs**.

On April 7, Apple issued emergency security updates to fix two weaknesses that are being actively exploited, including CVE-2023-28206, which can be exploited by apps to seize control over a device. CVE-2023-28205 can be used by a malicious or hacked website to install code.

Both vulnerabilities are addressed in iOS/iPadOS 16.4.1, iOS 15.7.5, and macOS 12.6.5 and 11.7.6. If you use Apple devices and you don’t have automatic updates enabled (they are on by default), you should probably take care of that soon as detailed instructions on how to attack CVE-2023-28206 are now public.

Microsoft’s bevy of 100 security updates released today include CVE-2023-28252, which is a weakness in Windows that Redmond says is under active attack. The vulnerability is in the **Windows Common Log System File System** (CLFS) driver, a core Windows component that was the source of attacks targeting a different zero-day vulnerability in February 2023.

“If it seems familiar, that’s because there was a similar 0-day patched in the same component just two months ago,” said **Dustin Childs** at the **Trend Micro Zero Day Initiative**. “To me, that implies the original fix was insufficient and attackers have found a method to bypass that fix. As in February, there is no information about how widespread these attacks may be. This type of exploit is typically paired with a code execution bug to spread malware or ransomware.”

According to the security firm **Qualys**, this vulnerability has been leveraged by cyber criminals to deploy **Nokoyawa** ransomware.

“This is a relatively new strain for which there is some open source intel to suggest that it is possibly related to Hive ransomware – one of the most notable ransomware families of 2021 and linked to breaches of over 300+ organizations in a matter of just a few months,” said **Bharat Jogi**, director of vulnerability and threat research at Qualys.

Jogi said while it is still unclear which exact threat actor is targeting CVE-2023-28252, targets have been observed in South and North America, regions across Asia and at organizations in the Middle East.

**Satnam Narang** at **Tenable** notes that CVE-2023-28252 is also the second CLFS zero-day disclosed to Microsoft by researchers from **Mandiant** and **DBAPPSecurity** (CVE-2022-37969), though it is unclear if both of these discoveries are related to the same attacker.

Seven of the 100 vulnerabilities Microsoft fixed today are rated “Critical,” meaning they can be used to install malicious code with no help from the user. Ninety of the flaws earned Redmond’s slightly less-dire “Important” label, which refers to weaknesses that can be used to undermine the security of the system but which may require some amount of user interaction.

Narang said Microsoft has rated nearly 90% of this month’s vulnerabilities as “Exploitation Less Likely,” while just 9.3% of flaws were rated as “Exploitation More Likely.” **Kevin Breen** at **Immersive Labs** zeroed in on several notable flaws in that 9.3%, including CVE-2023-28231, a remote code execution vulnerability in a core Windows network process (DHCP) with a CVSS score of 8.8.

“‘Exploitation more likely’ means it’s not being actively exploited but adversaries may look to try and weaponize this one,” Breen said. “Micorosft does note that successful exploitation requires an attacker to have already gained initial access to the network. This could be via social engineering, spear phishing attacks, or exploitation of other services.”

Breen also called attention to CVE-2023-28220 and CVE-2023-28219 — a pair of remote code execution vulnerabilities affecting **Windows Remote Access Servers** (RAS) that also earned Microsoft’s “exploitation more likely” label.

“An attacker can exploit this vulnerability by sending a specially crafted connection request to a RAS server, which could lead to remote code execution,” Breen said. While not standard in all organizations, RAS servers typically have direct access from the Internet where most users and services are connected. This makes it extremely enticing for attackers as they don’t need to socially engineer their way into an organization. They can simply scan the internet for RAS servers and automate the exploitation of vulnerable devices.”

For more details on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.

Microsoft (& Apple) Patch Tuesday, April 2023 Edition

By Habiba Rashid
Citizens Lab and Microsoft have exposed an Israeli firm, QuaDream, selling spyware to governments around the world.
This is a post from HackRead.com Read the original post: QuaDream: Israeli Cyber Mercenary Behind iPhone Hacks

**Government hackers equipped with QuaDream’s exploit used malicious calendar invites with dates in the past to deliver spyware.**

A little-known cyber mercenary company, QuaDream, has been identified by researchers at Microsoft and digital rights group Citizen Lab as the creator of malware that was used to hack into the iPhones of journalists, political opposition figures, and an NGO worker.

QuaDream, an Israeli spyware maker, reportedly develops zero-click exploits, which are hacking tools that do not require the target to click on malicious links, for iPhones. The final payload of QuaDream’s malware includes recording phone calls, surreptitiously capturing audio using the phone’s microphone, taking pictures, stealing files, tracking the person’s granular location, and deleting forensic traces of its existence.

Credit: Citizen Lab

Citizen Lab’s report states that its researchers were able to trace QuaDream’s spyware by identifying particular marks left by the malware, which they have referred to as the “Ectoplasm Factor.” However, the researchers have decided not to disclose these marks to ensure their ability to track the malware in the future.

The researchers have identified more than five victims, including an NGO worker, politicians, and journalists, whose iPhones were hacked in Europe, North America, the Middle East, and Southeast Asia. However, the researchers have decided not to disclose the victims’ names, as they do not want to jeopardize their safety.

The fact that the victims are in different countries also makes it harder for them to come forward, according to a senior researcher at Citizen Lab.

Although QuaDream has managed to stay under the radar, Israeli newspaper Haaretz reported in 2021 that it sold its wares to Saudi Arabia. A year later, Reuters reported that QuaDream sold an exploit to hack iPhones, which is comparable to the one provided by NSO Group.

It’s important to note that QuaDream does not run the spyware itself, but rather its government customers operate it, which is a common practice in the surveillance technology sector.

According to internet scans conducted by Citizen Lab, QuaDream’s customers operated servers in several countries worldwide, including the following:

*   Israel
*   Ghana
*   Mexico
*   Bulgaria
*   Romania
*   Hungary
*   Singapore
*   Uzbekistan
*   Czech Republic
*   United Arab Emirates (UAE)

In a blog post, Microsoft labelled QuaDream as an Israel-based private sector offensive actor (PSOA) who sells REIGN, a suite of exploits to governments. This suite includes malware and infrastructure developed to exfiltrate data from targeted smartphones.

The exploit utilized by QuaDream was created for iOS 14 and was a zero-day vulnerability, meaning it was not yet fixed or known by Apple at the time. Government hackers equipped with QuaDream’s exploit used malicious calendar invites with dates in the past to deliver the malware, which did not trigger a notification on the phone, making them invisible to the target.

QuaDream uses a Cyprus-based company called InReach to sell its products, according to Citizen Lab researchers, and this has been confirmed by a person who has worked in the spyware industry.

The discovery of QuaDream’s malware highlights once again that the spyware industry is not only made up of NSO Group but there are several other companies, most of which are still flying under the radar.

1.  Google spots spyware attack on Android and iOS
2.  NSO 0-click exploit hacks iPhones without clicking links
3.  Thai Activists’ iPhone Hacked by Israeli Pegasus Spyware
4.  Predator Spyware Using 0-day to Target Android Devices
5.  Hackers can Install Malware on iPhones even if Turned Off

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

QuaDream: Israeli Cyber Mercenary Behind iPhone Hacks

The April 2023 Patch Tuesday security update also included a reissue of a fix for a 10-year-old bug that a threat actor recently exploited in the supply chain attack on 3CX.

Microsoft's Patch Tuesday security update for April 2023 contains patches for 97 CVEs, including one zero-day bug under active exploit in ransomware attacks, another that's a reissue of a fix for a flaw from 2013 that a threat actor recently exploited in a supply chain attack on 3CX, and a wormable bug rated critical in severity.

Microsoft identified a total of seven of the bugs it fixed this month as being of critical severity, which typically means organizations need to make them a top priority from a patch implementation standpoint.

**Zero-Day Used in Ransomware Attacks**

Nearly half, or 45, of the vulnerabilities in the April update enable remote code execution (RCE), a significant uptick from the average of 33 RCE bugs that Microsoft has reported in each of the previous three months. Even so, the company rated nearly 90% of the CVEs in the latest batch as bugs that cyberattackers are less likely to exploit — just 9% are characterized as flaws that threat actors are more likely to exploit.

The zero-day bug, tracked as CVE-2023-28252, is an elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) that affects all supported versions of Windows 10 and Windows Server. It is the second CLFS zero day in recent months — the other was CVE-2022-37969 — and it gives adversaries who already have access to the platform a way to gain highly privileged system-level privileges. 

"This vulnerability leverages existing system access to actively exploit a device and is a result of how the CLFS driver interacts with objects in memory on a system," said Gina Geisel, a security researcher at Automox. To exploit the flaw, an attacker would need to log in to a system and then execute a malicious binary to elevate privileges. 

"Automox recommends patch deployment within 24 hours since this is an actively exploited zero-day," Geisel said in emailed comments to Dark Reading.

In a blog post issued in tandem with Microsoft's update, Kaspersky said its researchers had observed a threat actor exploiting CVE-2023-28252 to deliver Nokoyawa ransomware on systems belonging to small and midsized organizations in North America, the Middle East, and Asia. The security vendor's analysis shows that the exploits are similar to already-known driver exploits targeting CLFS. 

"The exploit was highly obfuscated with more than 80% of its code being 'junk' elegantly compiled into the binary," according to the analysis. Kaspersky researchers said they reported the bug to Microsoft after observing an adversary using it in ransomware attacks in February.

**A Patch From the Past**

Another patch in Microsoft's April update that researchers are recommending organizations pay attention to is CVE-2013-3900, a 10-year-old signature validation vulnerability in the Windows WinVerifyTrust function. A threat actor — believed to be North Korea's Lazarus Group — recently exploited the flaw in a supply-chain attack on 3CX that resulted in malware landing on systems belonging to users of the company's video-conferencing software. 

When Microsoft released the patch in 2013, the company had decided to make it an opt-in patch because of the potential for the fix to cause problems for some organizations. With the April security update, Microsoft has made the fix available for more platforms and provide more recommendations for organizations on how to address the issue. 

"Definitely take the time to review all of the recommendations, including the information on the Microsoft Trusted Root Program, and take the actions needed to protect your environment," Dustin Childs, researcher with Trend Micro's Zero Day Initiative (ZDI) said in a blog post.

**A Slew of RCE Vulnerabilities**

Researchers identified two of the critical vulnerabilities in April's batch as needing immediate action. One of them is CVE-2023-21554. 

The bug affects Microsoft Message Queuing (MSMQ) technology and gives attackers a way to gain RCE by sending a specially crafted MSMQ packet to a MSMQ server. The vulnerability affects Windows 10, 11, and Server 2008-2022 systems that have the message queuing feature enabled on their systems, Automox researcher Peter Pflaster said in emailed comments. Administrators should consider applying Microsoft patch for the issue ASAP, since the company has noted that threat actors are more likely to exploit the vulnerability.

That's just one of two critical vulnerabilities affecting the Windows Message Queuing system that Microsoft fixed this week. The other is CVE-2023-28250, a vulnerability in Windows Pragmatic Multicast that, like CVE-2023-21554, has a base score of 9.8 and is potentially wormable. 

"This patch Tuesday MSFT fixed some critical flaws, of which we would recommend organizations to prioritize patching vulnerabilities those that are actively being exploited and wormable," said Bharat Jogi, director of vulnerability and threat Research, at Qualys.

The other critical vulnerability that needs immediate fixing is CVE-2023-28231, a RCE bug in the DHCP Server service. Microsoft has assessed the bug as another issue that attackers are more likely to try and weaponize. To exploit the bug, an attacker would need prior access on a network. But once on it, the adversary could initiate remote code execution on the DHCP server, according to Kevin Breen, director of cyber threat research at Immersive Labs. 

"Microsoft recommends that DHCP services are not installed on Domain Controllers, however, smaller organizations will commonly see DC and DHCP services co-located. In this instance the impact could be a lot higher," Breen warned in emailed comments. Attackers that have control over DHCP servers could wreak considerable havoc on the network including stealing credentials for software-as-a-service (SaaS) products, or to carry out machine-in-the-middle (MITM) attacks, he noted.

Microsoft Patches 97 CVEs, Including Zero-Day & Wormable Bugs

# Microsoft Security Advisory CVE-2023-28260: .NET Remote Code Execution Vulnerability

## <a name="executive-summary"></a>Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET running on Windows where a runtime DLL can be loaded from an unexpected location, resulting in remote code execution.

## Announcement

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/250

### <a name="mitigation-factors"></a>Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

## <a name="affected-software"></a>Affected software

* Any .NET 7.0 application running on .NET 7.0.4 or earlier.
* Any .NET 6.0 application running on .NET 6.0.15 or earlier.

## Advisory FAQ

### <a name="how-affected"></a>How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in [affected software](#affected-software), you're exposed to the vulnerability.

### <a name="how-fix"></a>How do I fix the issue?

* To fix the issue please install the latest version of .NET 6.0 or .NET 7.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET  SDKs.
* If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the `dotnet --info` command. You will see output like the following;
* If you are using one of the affected packages, please update to the patched version listed above. 

```
.NET Core SDK (reflecting any global.json):

 Version:   6.0.300
 Commit:    8473146e7d

Runtime Environment:

 OS Name:     Windows
 OS Version:  10.0.18363
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):

  Version: 6.0.5
  Commit:  8473146e7d

.NET Core SDKs installed:

  6.0.300 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:

  Microsoft.AspNetCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs:
  https://aka.ms/dotnet-download
```
* If you're using .NET 7.0, you should download and install Runtime 7.0.5 or SDK 7.0.203 (for Visual Studio 2022 v17.5) from https://dotnet.microsoft.com/download/dotnet-core/7.0.
* If you're using .NET 6.0, you should download and install Runtime 6.0.16 or SDK 6.0.311 (for Visual Studio 2022 v17.2) from https://dotnet.microsoft.com/download/dotnet-core/6.0.

.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed [self-contained applications](https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) including [Native AOT](https://learn.microsoft.com/dotnet/core/deploying/native-aot/) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

## Other Information

### Reporting Security Issues

If you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at <https://aka.ms/corebounty>.

### Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

### Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

### Acknowledgements
[ycdxsb](https://github.com/ycdxsb) with [VARAS@IIE](http://www.iie.ac.cn/)

### External Links

[CVE-2023-28260]( https://www.cve.org/CVERecord?id=CVE-2023-28260)

### Revisions

V1.0 (April 11, 2023): Advisory published.

_Version 1.0_

_Last Updated 2023-04-11_

**Microsoft Security Advisory CVE-2023-28260: .NET Remote Code Execution Vulnerability****Executive summary**

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET running on Windows where a runtime DLL can be loaded from an unexpected location, resulting in remote code execution.

**Announcement**

Announcement for this issue can be found at dotnet/announcements#250

**Mitigation factors**

Microsoft has not identified any mitigating factors for this vulnerability.

**Affected software**

*   Any .NET 7.0 application running on .NET 7.0.4 or earlier.
*   Any .NET 6.0 application running on .NET 6.0.15 or earlier.

**Advisory FAQ****How do I know if I am affected?**

If you have a runtime or SDK with a version listed, or an affected package listed in affected software, you're exposed to the vulnerability.

**How do I fix the issue?**

*   To fix the issue please install the latest version of .NET 6.0 or .NET 7.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
*   If you have .NET 6.0 or greater installed, you can list the versions you have installed by running the dotnet --info command. You will see output like the following;
*   If you are using one of the affected packages, please update to the patched version listed above.

    .NET Core SDK (reflecting any global.json):
    
     Version:   6.0.300
     Commit:    8473146e7d
    
    Runtime Environment:
    
     OS Name:     Windows
     OS Version:  10.0.18363
     OS Platform: Windows
     RID:         win10-x64
     Base Path:   C:\Program Files\dotnet\sdk\6.0.300\
    
    Host (useful for support):
    
      Version: 6.0.5
      Commit:  8473146e7d
    
    .NET Core SDKs installed:
    
      6.0.300 [C:\Program Files\dotnet\sdk]
    
    .NET Core runtimes installed:
    
      Microsoft.AspNetCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
      Microsoft.NETCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
      Microsoft.WindowsDesktop.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
    
    To install additional .NET Core runtimes or SDKs:
      https://aka.ms/dotnet-download
    

*   If you're using .NET 7.0, you should download and install Runtime 7.0.5 or SDK 7.0.203 (for Visual Studio 2022 v17.5) from https://dotnet.microsoft.com/download/dotnet-core/7.0.
*   If you're using .NET 6.0, you should download and install Runtime 6.0.16 or SDK 6.0.311 (for Visual Studio 2022 v17.2) from https://dotnet.microsoft.com/download/dotnet-core/6.0.

.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications including Native AOT targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

**Other Information****Reporting Security Issues**

If you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

**Support**

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

**Disclaimer**

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

**Acknowledgements**

ycdxsb with VARAS@IIE

**External Links**

CVE-2023-28260

**Revisions**

V1.0 (April 11, 2023): Advisory published.

_Version 1.0_

_Last Updated 2023-04-11_

**References**

*   GHSA-w4m3-43gp-x8hx
*   https://nvd.nist.gov/vuln/detail/CVE-2023-28260
*   https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28260
*   https://www.cve.org/CVERecord?id=CVE-2023-28260

GHSA-w4m3-43gp-x8hx: .NET Remote Code Execution Vulnerability

Microsoft Message Queuing Remote Code Execution Vulnerability

CVE-2023-21554

Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability

Tag

#microsoft